View Poll Results: Ever Heard of [Pattern match "tar\\\\x20" at POST_PAYLOAD] ?

Voters
32. You may not vote on this poll
  • Yes

    0 0%
  • No

    32 100.00%
Results 1 to 24 of 24
  1. #1
    SitePoint Enthusiast Onur's Avatar
    Join Date
    Oct 2004
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Yes or No Poll Question

    Have you ever heard of:

    Pattern match "tar\\\\x20" at POST_PAYLOAD

    Just select Yes or No.

    For those interested:
    This is a mod_security pattern match, which prevents me from sending messages containing expression "tar " (the syllable "tar" and a space character) in them, through my formmail. So I could not send a "tartar sauce" recipe with my formmail, for example.

    My host says this is a very common mod_security rule, and I want to see if it is really that common. I searched on Google and found nothing about this pattern.

    Please vote, even if it is a "No".

    Thank you!

  2. #2
    dooby dooby doo silver trophybronze trophy
    spikeZ's Avatar
    Join Date
    Aug 2004
    Location
    Manchester UK
    Posts
    13,807
    Mentioned
    158 Post(s)
    Tagged
    3 Thread(s)
    erm... nope, not heard of that one.
    And shouldn't it be %20 for a space....
    Mike Swiffin - Community Team Advisor
    Only a woman can read between the lines of a one word answer.....

  3. #3
    SitePoint Enthusiast Onur's Avatar
    Join Date
    Oct 2004
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    \\x20 is an ASCII space char I think. I am also assuming that the other 2 backslashes are for escaping the original backslashes.

  4. #4
    SitePoint Enthusiast Onur's Avatar
    Join Date
    Oct 2004
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Is this a valid way of checking for all the "tar"s in the message body:

    Code:
    // strips every occurrence of "tar" from the body, including inside words such as "guitar"
    $msg = preg_replace('/tar/', '', $msg);

  5. #5
    SitePoint Enthusiast Onur's Avatar
    Join Date
    Oct 2004
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks a lot everyone!

  6. #6
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Mentioned
    198 Post(s)
    Tagged
    3 Thread(s)

    tar

    NO, but....
    I imagine the regex is looking for files with the tar extension. You wouldn't want users uploading them to your site any more than you would want them to upload zip, exe, or bat files.

  7. #7
    SitePoint Enthusiast Onur's Avatar
    Join Date
    Oct 2004
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Yeah, I imagine that is what the regex is trying to do, but the thing is it is blocking my text message containing the syllable "tar" so I assume there is something wrong with the mod_security configuration, or there is some other problem that I just cannot figure out.

    I have tried to string replace and preg replace this "tar " with something else to no avail. Maybe it is a header issue... My problem remains and I haven't been able to convince the host to make a change in their mod_security ruleset.

    I am very, very stuck.

  8. #8
    SitePoint Zealot uberman's Avatar
    Join Date
    Mar 2006
    Location
    Leon MX
    Posts
    107
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    no, sorry
    Alan Maciel PM NOW
    Web 2.0 Solutions Developer PM for quotations
    übernetics
    Web 2.0 Software Solutions for business.

  9. #9
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Mentioned
    198 Post(s)
    Tagged
    3 Thread(s)

    bad regex

    I believe that
    Code:
    tar\\\\x20
    matches something like tar space
    I can't see an uploaded tar file being in any other syntax than
    [filename.tar ] so it is true that the regex needs the "tar space". And I can understand the host's reluctance to not have it there. But considering that all tar files will have the "." before the "tar", unlike words like guitar or tartar, the regex would still, and only, work with tar files if the regex looked more like
    Code:
    \.tar\\\\x20
    Perhaps if you beg the host nicely to add the "." to the regex filter, he would. Especially if you have a legitimate need to allow ---tar words.

  10. #10
    From downunder but sure 2 rise Hazardous's Avatar
    Join Date
    Aug 2003
    Location
    New Zealand
    Posts
    361
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    That's a no for me
    Hazardous
    My Blog

  12. #12
    SitePoint Evangelist Rodney H.'s Avatar
    Join Date
    Sep 2005
    Location
    Chicago, IL
    Posts
    479
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Nope, me neither...

  13. #13
    SitePoint Enthusiast Onur's Avatar
    Join Date
    Oct 2004
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Mittineague
    I believe that
    Code:
    tar\\\\x20
    matches something like tar space
    I can't see an uploaded tar file being in any other syntax than
    [filename.tar ] so it is true that the regex needs the "tar space". And I can understand the host's reluctance to not have it there. But considering that all tar files will have the "." before the "tar", unlike words like guitar or tartar, the regex would still, and only, work with tar files if the regex looked more like
    Code:
    \.tar\\\\x20
    Perhaps if you beg the host nicely to add the "." to the regex filter, he would. Especially if you have a legitimate need to allow ---tar words.
    Yes, I was thinking this morning about the dot before the file extension as well. The funny thing is their mod_security only checks for the *.tar extension (well it doesn't even check for the extension, just the tar+space combo inside the friggin text), and not *.zip, *.exe, or anything else. This is very strange. I don't think I will be able to convince the host to change their regex, since the guy I had to deal with on the support team was indifferent to anything I had to say and just gave me the "you are the only one complaining" routine.

    The only thing I can do is find out the domains hosted on the same server as mine and try this "tar " thing with their contact forms. If they all return the same error, I email these sites to point out the issue. They take it to the host (hopefully) and the regex gets fixed.

  14. #14
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Mentioned
    198 Post(s)
    Tagged
    3 Thread(s)

    stubborn host

    You could contact other sites on the server. Other than that, the only way around it that I can think of is to use your own regex to replace the substring with something that would never occur and then change it back. eg. replace "tar" with "JJJ"

  15. #15
    SitePoint Enthusiast Onur's Avatar
    Join Date
    Oct 2004
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thank you for your assistance, Mittineague. I will try and replace it.

    Thanks everyone else for your votes! I appreciate it.

  16. #16
    Follow Me On Twitter: @djg gold trophysilver trophybronze trophy Dan Grossman's Avatar
    Join Date
    Aug 2000
    Location
    Philadelphia, PA
    Posts
    20,578
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    In regards to the posts about a period before "tar" in the file extension... mod_security doesn't just look at uploaded files, it's checking query strings and POST payloads for commands as well. It's quite possible, through poor coding in hundreds of widely used PHP scripts, to execute commands on others' servers through the web server. Common commands would include wget'ing files, tar to unzip archives, perl or sh to execute scripts as parts of taking control of the system.

  17. #17
    SitePoint Enthusiast Onur's Avatar
    Join Date
    Oct 2004
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Wow, thank you for pointing this out Dan. That would still mean their regex is blocking more than it should, since for "tar" to qualify as a command, it should be used as a stand-alone substring and not part of a word (i.e. the ending syllable or suffix), right?

  18. #18
    Follow Me On Twitter: @djg gold trophysilver trophybronze trophy Dan Grossman's Avatar
    Join Date
    Aug 2000
    Location
    Philadelphia, PA
    Posts
    20,578
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    They're going to want to match as much suspect user input as possible. A single rule to match both filenames and the command seems appropriate, doesn't it?

    If their rule is matching the word "tar" as part of normal text it may be over protective, but at least understand what they're trying to do. I've first hand experience that it's virtually impossible to keep people from compromising a server running mainstream PHP software without a set of mod_security rules.

  19. #19
    SitePoint Enthusiast Onur's Avatar
    Join Date
    Oct 2004
    Posts
    68
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Sure, I understand the importance of mod_security for well... security. My frustration is (was) that the host's security system was blocking something (a valid, meaningful text message) that is not supposed to cause any security problems. Of course, they cannot know what the next thing to cause a security problem on the server will be, but that does not justify blocking something that doesn't have the potential to cause any problems. They could have two separate rules for command execution and file uploads.

    I guess it is hard to maintain server security. I have to say I probably lost a few years of my life with the stress my ignorance about it caused me. It is possible that I wouldn't have even heard of mod_security for a long time if this didn't happen.

    Anyway, thank you for your valuable input, Dan, I appreciate it.

  20. #20
    Programming Team silver trophybronze trophy
    Mittineague's Avatar
    Join Date
    Jul 2005
    Location
    West Springfield, Massachusetts
    Posts
    17,290
    Mentioned
    198 Post(s)
    Tagged
    3 Thread(s)

    security

    Good point about the "." point. I have read that it is better security to create conditions that only allow certain things rather than to create conditions that limit certain things. Granted, it would be easier to systematically screen for known threats as opposed to putting together a library of known acceptables. (hmmmm. sounds like a niche void. I wonder what the market is like for security techs?)

  21. #21
    SitePoint Enthusiast Joel Farris's Avatar
    Join Date
    Jul 2004
    Location
    Nashville, TN
    Posts
    54
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Dan Grossman
    They're going to want to match as much suspect user input as possible. A single rule to match both filenames and the command seems appropriate, doesn't it? If their rule is matching the word "tar" as part of normal text it may be over protective, but at least understand what they're trying to do. >snip<
    Dan,

    Good point. But I wonder why the mod_security rule is not checking for the existence of SPACE tar SPACE (the command line tar), and also PERIOD tar SPACE (the filename extension)? Might it be that by trying to craft them both into one rule, the web host is inadvertently consuming ASCII words like ashtar and scimitar? Sure, the first rule would block legit phrases like "pre-historic tar pits", but that's much less intrusive than eating all words that contain the letters T A R.
    "I woulda brought my printer to this meeting,
    but they wouldn't allow any Sharp objects on the plane!"
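The rule precision discussed in posts #9 and #21 above can be measured rather than argued about. The following is an added example (not code from the thread or from mod_security itself) that runs the host's rule as the thread reads it, Mittineague's dotted variant, and Joel Farris's two-part variant over a handful of constructed POST bodies and reports which ones each rule would block. It assumes, as post #3 does, that the effective pattern behind `tar\\\\x20` is `tar\x20`, and it uses Python's `re` as a stand-in for the PCRE engine mod_security uses; the sample messages are made up for the demonstration.

```python
import re

# Constructed sample POST bodies (not from the thread). The first three are
# legitimate formmail text; the last two are the cases the rule is meant for.
SAMPLES = {
    "recipe":   "Here is my tartar sauce recipe, it goes well with fish",
    "guitar":   "I sell guitar straps and scimitar replicas",
    "tarpits":  "We visited the pre-historic tar pits yesterday",
    "filename": "please find attached backup.tar thanks",
    "command":  "something; tar -xzf payload.tgz; ls",
}

# The three candidate rules from the thread, as Python regexes.
RULES = {
    # host's rule as quoted: "tar" followed by a literal space, anywhere
    "host":   re.compile(r"tar\x20"),
    # post #9: require the filename dot before "tar"
    "dotted": re.compile(r"\.tar\x20"),
    # post #21: extension form OR a stand-alone word "tar"
    # (start of input or whitespace before it, whitespace after it)
    "split":  re.compile(r"(?:\.tar\x20)|(?:(?:^|\s)tar\s)"),
}

# The samples a defender would want to pass through untouched.
LEGITIMATE = {"recipe", "guitar", "tarpits"}


def evaluate(rules=RULES, samples=SAMPLES):
    """Return {rule name: set of sample names that rule would block}."""
    return {
        name: {label for label, body in samples.items() if rx.search(body)}
        for name, rx in rules.items()
    }


def false_positives(results, legitimate=LEGITIMATE):
    """Return {rule name: set of legitimate samples it wrongly blocks}."""
    return {name: blocked & legitimate for name, blocked in results.items()}


if __name__ == "__main__":
    results = evaluate()
    fps = false_positives(results)
    for name in RULES:
        print(f"{name:7s} blocks {sorted(results[name])}; "
              f"false positives {sorted(fps[name])}")
```

Run as a script it prints one line per rule. The host's rule blocks every sample, including the tartar-sauce message; the dotted rule blocks only the filename case and misses the command-like payload; the split rule catches both the filename and the command while letting "tartar" and "guitar" through, at the cost of "tar pits", which is exactly the trade-off post #21 describes.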

  22. #22
    SitePoint Enthusiast Joel Farris's Avatar
    Join Date
    Jul 2004
    Location
    Nashville, TN
    Posts
    54
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Mittineague
    >snip< (hmmmm. sounds like a niche void. I wonder what the market is like for security techs?)
    Well, IE 7 is rolling out, and VISTA is not far behind that.

    I'd say the chances of people needing security experts are slim to none once VISTA hits the streets. Everyone in the world will upgrade, and crackers won't have anything productive to do with all their free time. Ahh, yes, the world will be a safe place again.

    ACHOOO!

    Woah, that was a big one. Hey, how long was I out?
    "I woulda brought my printer to this meeting,
    but they wouldn't allow any Sharp objects on the plane!"

  23. #23
    Now available in Orange Tijmen's Avatar
    Join Date
    Jul 2004
    Location
    The Netherlands
    Posts
    1,469
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Never heard of it, and so far 30 other people with me.
    Travel Photos on Flickr - Twitter

    “Never give up. Never surrender”

  24. #24
    Follow Me On Twitter: @djg gold trophysilver trophybronze trophy Dan Grossman's Avatar
    Join Date
    Aug 2000
    Location
    Philadelphia, PA
    Posts
    20,578
    Mentioned
    1 Post(s)
    Tagged
    0 Thread(s)
    Therefore mod_security doesn't actually exist? Interesting theory.
